CN115801473A - Knowledge graph-based malicious flow identification method and device for power monitoring system - Google Patents


Info

Publication number
CN115801473A
Authority
CN
China
Legal status
Pending
Application number
CN202310101461.7A
Other languages
Chinese (zh)
Inventor
叶伟铨
郑广勇
黄亮浩
陈钢
邓瑞麒
李永乐
丁勇
李骞
莫衍胜
黄国政
黄高敏
关雄韬
吕昶浩
赵爽
李格格
施建荣
刘文旭
梁丽芳
Current Assignee
Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd


Abstract

The scheme provided by the application collects the network traffic of the power monitoring system and extracts its traffic features, constructs a traffic feature graph in the manner of a knowledge graph, and then detects the data connection type between entities with data connection type detection logic. A preliminary abnormal-traffic judgment is obtained from the difference between the detected numbers of real connections and virtual connections; when abnormal traffic exists, it is used as the input of a malicious traffic classification model, which identifies whether the abnormal traffic is malicious. The technical scheme provided by the application can improve the success rate of identifying malicious traffic and thereby improve the security of the power monitoring system.

Description

Knowledge graph-based malicious flow identification method and device for power monitoring system
Technical Field
The application relates to the technical field of network security, in particular to a method and a device for recognizing malicious traffic of an electric power monitoring system based on a knowledge graph.
Background
With the continuous development of power monitoring systems, the network data traffic of these systems grows every year, and their network security has received wide attention in recent years.
The network security protection of current power monitoring systems relies mainly on network security protection devices such as firewalls, isolation devices, encryption devices, intrusion prevention systems (IPS) and intrusion detection systems (IDS), which protect the system primarily through an expert database or a preset rule base. However, as network environments become increasingly complex and variable, an attacker can disguise malicious traffic through advanced means such as traffic spoofing, which makes identification harder; the existing protection means therefore struggle to identify and defend against such traffic promptly, and security is poor.
Disclosure of Invention
The application provides a knowledge graph-based malicious traffic identification method and device for an electric power monitoring system, which are used to solve the technical problem of poor security of the existing protection means.
In order to solve the above technical problem, a first aspect of the present application provides a knowledge graph-based method for identifying malicious traffic of an electric power monitoring system, including:
monitoring the traffic state of an electric power monitoring system and collecting the network traffic of the electric power monitoring system;
constructing a traffic feature graph according to the traffic features of the network traffic, wherein the traffic feature graph comprises the association relationship between a source end and a destination end of the network traffic;
detecting, according to the traffic feature graph, the data connection type of each data message between the source end and the destination end through data connection type detection logic, wherein the data connection type comprises real connection and virtual connection;
counting the numbers of real connections and virtual connections according to the detection result, and determining a preliminary traffic identification result between the source end and the destination end according to the difference between the numbers of real connections and virtual connections;
and when the preliminary traffic identification result is abnormal, inputting the network traffic between the source end and the destination end into a malicious traffic classification model so as to obtain a malicious traffic identification result through the malicious traffic classification model, wherein the malicious traffic classification model is a neural network classification model trained on preset traffic feature samples.
Preferably, determining the preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections specifically includes:
calculating the ratio of the number of real connections to the number of virtual connections; if the ratio is lower than a preset ratio threshold, determining that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determining that it is normal.
Preferably, determining the preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections specifically includes:
calculating the difference between the number of real connections and the number of virtual connections; if the number of real connections is less than the number of virtual connections and the difference exceeds a preset difference threshold, determining that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determining that it is normal.
Preferably, constructing the traffic feature graph according to the network traffic specifically includes:
determining, according to the source address and destination address features of the network traffic and in combination with the entities and entity relationships of a network security traffic knowledge base, an entity relationship that links the source end and the destination end of the traffic, and constructing the traffic feature graph of the source end and the destination end.
Preferably, after obtaining the malicious traffic identification result, the method further includes:
extracting the traffic features of the malicious traffic according to the malicious traffic identification result, and constructing a malicious traffic feature graph;
and tracing the source of the malicious traffic based on the malicious traffic feature graph in combination with the entity relationships constructed from the network security traffic knowledge base.
A second aspect of the present application provides a knowledge graph-based malicious traffic identification apparatus for an electric power monitoring system, including:
a traffic collection unit, configured to monitor the traffic state of an electric power monitoring system and collect the network traffic of the electric power monitoring system;
a traffic feature graph construction unit, configured to construct a traffic feature graph according to the traffic features of the network traffic, wherein the traffic feature graph comprises the association relationship between a source end and a destination end of the network traffic;
an entity data connection type determining unit, configured to detect, according to the traffic feature graph, the data connection type of each data message between the source end and the destination end through data connection type detection logic, wherein the data connection type comprises real connection and virtual connection;
an abnormal traffic identification unit, configured to count the numbers of real connections and virtual connections according to the detection result, and to determine a preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections;
and a malicious traffic identification unit, configured to input, when the preliminary traffic identification result is abnormal, the network traffic between the source end and the destination end into a malicious traffic classification model so as to obtain a malicious traffic identification result through the malicious traffic classification model, wherein the malicious traffic classification model is a neural network classification model trained on preset traffic feature samples.
Preferably, the abnormal traffic identification unit is specifically configured to:
calculate the ratio of the number of real connections to the number of virtual connections; if the ratio is lower than a preset ratio threshold, determine that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determine that it is normal.
Preferably, the abnormal traffic identification unit is specifically configured to:
calculate the difference between the number of real connections and the number of virtual connections; if the number of real connections is less than the number of virtual connections and the difference exceeds a preset difference threshold, determine that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determine that it is normal.
Preferably, the traffic feature graph construction unit is specifically configured to:
determine, according to the source address and destination address of the network traffic and in combination with the entities and entity relationships of the network security traffic knowledge base, an entity relationship that links the source end and the destination end of the traffic, and construct the traffic feature graph of the source end and the destination end.
Preferably, the apparatus further includes:
a malicious traffic tracing unit, configured to extract the traffic features of the malicious traffic according to the malicious traffic identification result, construct a malicious traffic feature graph, and trace the source of the malicious traffic based on the malicious traffic feature graph in combination with the entity relationships constructed from the network security traffic knowledge base.
According to the technical scheme, the method has the following advantages:
the scheme provided by the application collects the network traffic of the power monitoring system and extracts its traffic features, constructs a traffic feature graph in the manner of a knowledge graph, and then detects the data connection type between entities with data connection type detection logic; a preliminary abnormal-traffic judgment is obtained from the difference between the detected numbers of real connections and virtual connections, and when abnormal traffic exists it is used as the input of a malicious traffic classification model, which identifies whether the abnormal traffic is malicious. The technical scheme provided by the application can therefore improve the success rate of identifying malicious traffic and improve the security of the power monitoring system.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a basic embodiment of a method for identifying malicious traffic in a power monitoring system based on a knowledge graph according to the present application.
Fig. 2 is a schematic flowchart of a specific embodiment of a method for identifying malicious traffic of an electric power monitoring system based on a knowledge graph according to the present application.
Fig. 3 is a schematic structural diagram of an embodiment of a power monitoring system malicious traffic identification device based on a knowledge graph according to the present application.
Detailed Description
The embodiment of the application provides a knowledge graph-based malicious flow identification method and device for an electric power monitoring system, and is used for solving the technical problem that the existing protection means is poor in safety.
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the embodiments described below are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a first aspect of the present application provides a knowledge graph-based method for identifying malicious traffic of a power monitoring system, including:
Step 101: monitoring the traffic state of the power monitoring system and collecting the network traffic of the power monitoring system.
It should be noted that the network traffic and the host logs of the power monitoring system are collected by monitoring its traffic state, using means such as traffic mirroring and host log collection.
Step 102: constructing a traffic feature graph according to the traffic features of the network traffic.
The traffic feature graph includes the association relationship between the source end and the destination end of the network traffic.
It should be noted that a knowledge graph is a novel knowledge representation method. In essence, it is a technique that describes the association relationships between knowledge and things in the modeled world with a graph model: entities are represented as nodes and the specific relationships between different entities as edges, so that a semantic network of entity relationships is constructed.
This step constructs a knowledge graph of network traffic features, i.e., the traffic feature graph, from the traffic features of the network traffic obtained in step 101.
Step 103: detecting, according to the traffic feature graph, the data connection type of each data message between the source end and the destination end through the data connection type detection logic.
The data connection types include real connections and virtual connections.
Step 104: counting the numbers of real connections and virtual connections according to the detection result, and determining a preliminary traffic identification result between the source end and the destination end according to the difference between the numbers of real connections and virtual connections.
It should be noted that, in this embodiment, the real/virtual connection detection logic and the preliminary determination method mentioned in steps 103 and 104 operate on the two entities constructed in the graph, a source address and a destination address. First, the entity relationships between all response messages of the two entities within a fixed time window are traversed to establish real connections and virtual connections: if the sequence numbers of the response messages match correspondingly, the connection is judged to be a real connection; otherwise it is a virtual connection. Then, based on the detection result, the difference between the numbers of real and virtual connections between the source address and the destination address of the data messages is counted and analyzed to judge whether the network traffic between the two entities is abnormal, and if so, the corresponding traffic data is marked as abnormal traffic.
Step 105: when the preliminary traffic identification result is abnormal, inputting the network traffic between the source end and the destination end into a malicious traffic classification model so as to obtain a malicious traffic identification result through the malicious traffic classification model.
The malicious traffic classification model is a neural network classification model trained on preset traffic feature samples.
Then, according to the preliminary identification result obtained in step 104, if abnormal traffic exists, it is used as the input of the malicious traffic classification model, and the features of the abnormal traffic are identified by the trained malicious traffic classification model to obtain the corresponding malicious traffic identification result.
More specifically, the malicious traffic classification model mentioned in this embodiment may be constructed as in the following example:
preprocessing a third-party or preset data set to obtain a data set feature reference graph, and performing numerical normalization;
constructing the convolutional layers of a convolutional neural network in the form:
Figure SMS_1
wherein l is the current layer, b is the bias of the current layer, k is a convolution kernel, and M is the convolution window corresponding to the j-th convolution kernel;
constructing the pooling layer of the convolutional neural network in the form:
Figure SMS_2
wherein down(·) is a subsampling function, and β and b are the network parameter and the bias of the feature map, respectively;
and constructing a fully connected layer, through which the learned malicious traffic features are fed to a classifier, whose output is taken as the malicious traffic identification result.
The above is a detailed description of a basic embodiment of the knowledge graph-based method for identifying malicious traffic of an electric power monitoring system provided by the present application; the following further describes that basic embodiment.
Referring to fig. 2, the further description of the knowledge graph-based method for identifying malicious traffic of an electric power monitoring system in this embodiment includes:
Further, step 102 of the previous embodiment, building the traffic feature graph according to the network traffic, may be subdivided into:
determining, according to the source address and destination address features of the network traffic and in combination with the entities and entity relationships of a network security traffic knowledge base, an entity relationship that links the source end and the destination end of the traffic, and constructing the traffic feature graph of the source end and the destination end.
The traffic feature graph records the network traffic features both historically and within a fixed time window. Based on the entities and entity relationships of the network security traffic knowledge base, an entity relationship linking the traffic source end and destination end is created from the source address and destination address, and the traffic feature graphs of the traffic source end and destination end are constructed.
The network security traffic knowledge base may be a third-party knowledge base built on the Common Weakness Enumeration (CWE), the China National Vulnerability Database of Information Security (CNNVD) and the like. It can be updated offline periodically, or updated with the malicious traffic features identified by the scheme of this embodiment, so that the knowledge of the network security traffic knowledge base is updated incrementally and it becomes a complete, unified knowledge base.
Further, in step 104 of the previous embodiment, determining the preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections specifically includes:
calculating the ratio of the number of real connections to the number of virtual connections; if the ratio is lower than a preset ratio threshold, determining that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determining that it is normal.
Or
calculating the difference between the number of real connections and the number of virtual connections; if the number of real connections is less than the number of virtual connections and the difference exceeds a preset difference threshold, determining that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determining that it is normal.
In addition, regarding the method of determining abnormal traffic, the preferred method of this embodiment is: counting the numbers of real connections and virtual connections respectively from the data connection type detection result obtained in the preceding step, and calculating the ratio of real connections to virtual connections. The smaller the ratio, the fewer the real connections and the more the virtual connections; when the ratio of real to virtual connections falls below a threshold, the network traffic between the two entities can be judged abnormal and marked as abnormal traffic. Furthermore, besides measuring the disparity between the numbers of real and virtual connections by their ratio as in the above example, the numeric difference may also be used in some scenarios.
Further, step 105 may be followed by:
Step 106: extracting the traffic features of the malicious traffic according to the malicious traffic identification result, and constructing a malicious traffic feature graph.
Step 107: tracing the source of the malicious traffic based on the malicious traffic feature graph in combination with the entity relationships established from the network security traffic knowledge base.
It should be noted that, beyond identifying malicious traffic, this embodiment may further use the features of the identified malicious traffic, in combination with the entity relationships established from the network security traffic knowledge base, to discover the complete path of the network attack, the malicious operations and the host vulnerability information, forming a malicious traffic feature graph that is used to trace the malicious traffic and the attack. Based on the traffic feature graph, the malicious traffic feature graph and the dimension information of the network security traffic knowledge base, the trace to the attacker can be displayed visually and an alarm raised.
The above is a detailed description of a specific embodiment of the knowledge graph-based method for identifying malicious traffic of an electric power monitoring system provided by the present application; the following is a detailed description of an embodiment of the knowledge graph-based apparatus for identifying malicious traffic of an electric power monitoring system provided by the present application.
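The real/virtual connection detection of steps 103 and 104 and the two threshold forms described above, as an added Python example that is not part of the patent. The message fields, the rule that a response matches a request when its acknowledged number equals the request's sequence number, the window bounds and the threshold values are all assumptions, and the capture is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    """One captured data message between two entities (assumed, constructed format)."""
    ts: float                  # capture timestamp in seconds
    src: str                   # source entity address
    dst: str                   # destination entity address
    seq: int                   # sequence number carried by the message
    ack: Optional[int] = None  # responses only: sequence number of the request answered


def build_feature_graph(messages, window_start, window_len):
    """Traffic feature graph restricted to one fixed time window: one edge per
    ordered (src, dst) entity pair, holding the messages sent along that edge."""
    graph = defaultdict(list)
    for m in messages:
        if window_start <= m.ts < window_start + window_len:
            graph[(m.src, m.dst)].append(m)
    return graph


def classify_connections(graph, src, dst):
    """Step 103: a request src->dst is a real connection when a response dst->src
    inside the window matches its sequence number; otherwise it is a virtual
    connection. Returns (real_count, virtual_count)."""
    answered = {m.ack for m in graph.get((dst, src), []) if m.ack is not None}
    real = virtual = 0
    for req in graph.get((src, dst), []):
        if req.ack is not None:
            continue  # responses are not connections themselves
        if req.seq in answered:
            real += 1
        else:
            virtual += 1
    return real, virtual


def ratio_result(real, virtual, ratio_threshold):
    """Step 104, ratio form: abnormal when real/virtual is below the threshold.
    Edge case: with no virtual connections the ratio is unbounded, so normal."""
    if virtual == 0:
        return "normal"
    return "abnormal" if real / virtual < ratio_threshold else "normal"


def difference_result(real, virtual, diff_threshold):
    """Step 104, difference form: abnormal only when real < virtual and the gap
    exceeds the threshold."""
    if real < virtual and virtual - real > diff_threshold:
        return "abnormal"
    return "normal"


def preliminary_identification(messages, window_start, window_len,
                               method="ratio", ratio_threshold=0.5, diff_threshold=3):
    """Run steps 103-104 over every edge that carries requests. Returns
    {(src, dst): (real, virtual, verdict)}; the threshold defaults are assumed."""
    graph = build_feature_graph(messages, window_start, window_len)
    results = {}
    for (src, dst), msgs in graph.items():
        if all(m.ack is not None for m in msgs):
            continue  # edge holds only responses; it is judged from the other direction
        real, virtual = classify_connections(graph, src, dst)
        if method == "ratio":
            verdict = ratio_result(real, virtual, ratio_threshold)
        else:
            verdict = difference_result(real, virtual, diff_threshold)
        results[(src, dst)] = (real, virtual, verdict)
    return results


def sample_messages():
    """Constructed capture: one client whose requests are all answered, and one
    whose requests mostly go unanswered (how spoofed or half-open traffic looks)."""
    msgs = []
    for i in range(5):  # 10.0.0.5 -> 10.0.0.20: every request gets a matching response
        msgs.append(Message(1.0 + i, "10.0.0.5", "10.0.0.20", 100 + i))
        msgs.append(Message(1.2 + i, "10.0.0.20", "10.0.0.5", 500 + i, ack=100 + i))
    for i in range(8):  # 10.0.0.99 -> 10.0.0.20: eight requests, one matching response
        msgs.append(Message(2.0 + 0.5 * i, "10.0.0.99", "10.0.0.20", 900 + i))
    msgs.append(Message(2.3, "10.0.0.20", "10.0.0.99", 700, ack=900))
    msgs.append(Message(30.0, "10.0.0.20", "10.0.0.99", 701, ack=901))  # outside window
    return msgs


if __name__ == "__main__":
    for pair, (real, virtual, verdict) in preliminary_identification(
            sample_messages(), window_start=0.0, window_len=10.0).items():
        print(f"{pair[0]} -> {pair[1]}: real={real} virtual={virtual} -> {verdict}")
```

Running it flags only the 10.0.0.99 to 10.0.0.20 edge (1 real, 7 virtual) under both the ratio and the difference form, while the late response outside the window is ignored.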
Referring to fig. 3, the present embodiment provides a knowledge graph-based apparatus for identifying malicious traffic of an electric power monitoring system, including:
a traffic collection unit 201, configured to monitor the traffic state of the power monitoring system and collect the network traffic of the power monitoring system;
a traffic feature graph construction unit 202, configured to construct a traffic feature graph according to the traffic features of the network traffic, wherein the traffic feature graph includes the association relationship between a source end and a destination end of the network traffic;
an entity data connection type determining unit 203, configured to detect, according to the traffic feature graph, the data connection type of each data message between the source end and the destination end through data connection type detection logic, wherein the data connection type includes real connection and virtual connection;
an abnormal traffic identification unit 204, configured to count the numbers of real connections and virtual connections according to the detection result, and to determine a preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections;
and a malicious traffic identification unit 205, configured to input, when the preliminary traffic identification result is abnormal, the network traffic between the source end and the destination end into a malicious traffic classification model so as to obtain a malicious traffic identification result through the malicious traffic classification model, wherein the malicious traffic classification model is a neural network classification model trained on preset traffic feature samples.
Further, the abnormal traffic identification unit 204 is specifically configured to:
calculate the ratio of the number of real connections to the number of virtual connections; if the ratio is lower than a preset ratio threshold, determine that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determine that it is normal.
Further, the abnormal traffic identification unit 204 is specifically configured to:
calculate the difference between the number of real connections and the number of virtual connections; if the number of real connections is less than the number of virtual connections and the difference exceeds a preset difference threshold, determine that the preliminary traffic identification result between the source end and the destination end is abnormal, and otherwise determine that it is normal.
Further, the traffic feature graph construction unit 202 is specifically configured to:
determine, according to the source address and destination address of the network traffic and in combination with the entities and entity relationships of the network security traffic knowledge base, an entity relationship that links the source end and the destination end of the traffic, and construct the traffic feature graph of the source end and the destination end.
Further, the apparatus further includes:
a malicious traffic tracing unit 206, configured to extract the traffic features of the malicious traffic according to the malicious traffic identification result, construct a malicious traffic feature graph, and trace the source of the malicious traffic based on the malicious traffic feature graph in combination with the entity relationships constructed from the network security traffic knowledge base.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the terminal, the apparatus and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed terminal, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The terms "first," "second," "third," "fourth," and the like in the description of the application and the above-described figures, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit can be realized in the form of hardware or in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A knowledge graph-based malicious traffic identification method for a power monitoring system, characterized in that it comprises the following steps:
monitoring the traffic state of the power monitoring system, and collecting the network traffic of the power monitoring system;
constructing a traffic feature graph according to the traffic features of the network traffic, wherein the traffic feature graph comprises the association relationship between a source end and a destination end of the network traffic;
detecting, according to the traffic feature graph, the data connection type of each data packet between the source end and the destination end through a data connection type detection logic, wherein the data connection type comprises: real connection and virtual connection;
counting the number of real connections and the number of virtual connections according to the detection result, and determining a preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections;
and when the preliminary traffic identification result is abnormal, inputting the network traffic between the source end and the destination end into a malicious traffic classification model, so as to obtain a malicious traffic identification result through the malicious traffic classification model, wherein the malicious traffic classification model is a neural network classification model obtained by training on preset traffic feature samples.
2. The method according to claim 1, wherein determining the preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections specifically comprises:
calculating the ratio of the number of real connections to the number of virtual connections; if the ratio is lower than a preset ratio threshold, determining that the preliminary traffic identification result between the source end and the destination end is abnormal, otherwise determining that the preliminary traffic identification result between the source end and the destination end is normal.
3. The method according to claim 1, wherein determining the preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections specifically comprises:
calculating the difference between the number of real connections and the number of virtual connections; if the number of real connections is less than the number of virtual connections and the difference exceeds a preset difference threshold, determining that the preliminary traffic identification result between the source end and the destination end is abnormal, otherwise determining that the preliminary traffic identification result between the source end and the destination end is normal.
4. The knowledge graph-based malicious traffic identification method for a power monitoring system according to claim 1, wherein constructing the traffic feature graph according to the network traffic specifically comprises:
determining, according to the source address and the destination address of the network traffic and in combination with the entities and entity relationships of a network security traffic knowledge base, the source end and the destination end linked by an entity relationship of the traffic, and constructing the traffic feature graph of the source end and the destination end.
5. The knowledge graph-based malicious traffic identification method for a power monitoring system according to claim 4, wherein, after the malicious traffic identification result is obtained, the method further comprises:
extracting traffic features of the malicious traffic according to the malicious traffic identification result, and constructing a malicious traffic feature graph;
and tracing the source of the malicious traffic on the basis of the malicious traffic feature graph, in combination with the entity relationships constructed from the network security traffic knowledge base.
6. A knowledge graph-based malicious traffic identification device for a power monitoring system, characterized in that it comprises:
a traffic acquisition unit, configured to monitor the traffic state of the power monitoring system and acquire the network traffic of the power monitoring system;
a traffic feature graph construction unit, configured to construct a traffic feature graph according to the traffic features of the network traffic, wherein the traffic feature graph comprises the association relationship between a source end and a destination end of the network traffic;
an entity data connection type determining unit, configured to detect, according to the traffic feature graph, the data connection type of each data packet between the source end and the destination end through a data connection type detection logic, wherein the data connection type comprises: real connection and virtual connection;
an abnormal traffic identification unit, configured to count the number of real connections and the number of virtual connections according to the detection result, and to determine a preliminary traffic identification result between the source end and the destination end according to the difference between the number of real connections and the number of virtual connections;
and a malicious traffic identification unit, configured to input the network traffic between the source end and the destination end into a malicious traffic classification model when the preliminary traffic identification result is abnormal, so as to obtain a malicious traffic identification result through the malicious traffic classification model, wherein the malicious traffic classification model is a neural network classification model obtained by training on preset traffic feature samples.
7. The device according to claim 6, wherein the abnormal traffic identification unit is specifically configured to:
calculate the ratio of the number of real connections to the number of virtual connections; if the ratio is lower than a preset ratio threshold, determine that the preliminary traffic identification result between the source end and the destination end is abnormal, otherwise determine that the preliminary traffic identification result between the source end and the destination end is normal.
8. The device according to claim 6, wherein the abnormal traffic identification unit is specifically configured to:
calculate the difference between the number of real connections and the number of virtual connections; if the number of real connections is less than the number of virtual connections and the difference exceeds a preset difference threshold, determine that the preliminary traffic identification result between the source end and the destination end is abnormal, otherwise determine that the preliminary traffic identification result between the source end and the destination end is normal.
9. The device according to claim 6, wherein the traffic feature graph construction unit is specifically configured to:
determine, according to the source address and the destination address of the network traffic and in combination with the entities and entity relationships of a network security traffic knowledge base, the source end and the destination end linked by an entity relationship of the traffic, and construct the traffic feature graph of the source end and the destination end.
10. The device according to claim 9, further comprising:
a malicious traffic tracing unit, configured to extract traffic features of the malicious traffic according to the malicious traffic identification result, construct a malicious traffic feature graph, and trace the source of the malicious traffic on the basis of the malicious traffic feature graph in combination with the entity relationships constructed from the network security traffic knowledge base.
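The preliminary screening stage of claims 1 to 3 (and the mirrored apparatus claims 7 and 8) can be followed in code: group packets into connections per source/destination pair, count real and virtual connections, and apply either the ratio rule or the difference rule to decide which pairs would be forwarded to the classification model. The block below is an added example written for this page, not the patent's own implementation. The page does not define in this section how a connection is judged real or virtual, so the rule used here (a connection is real when the TCP handshake completed and payload was exchanged, virtual otherwise) is an assumption, as are the sample capture, the addresses and the thresholds; the neural-network classifier of the final step is not reproduced.

```python
"""Preliminary anomaly screening per (source, destination) pair, following
claims 1-3.  Example code; the real/virtual rule, sample data and thresholds
are assumptions, not taken from the patent."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # simplified TCP flags: "S", "SA", "A", "PA"
    payload: int  # payload bytes carried by this packet


@dataclass
class ConnState:
    syn: bool = False
    synack: bool = False
    ack: bool = False
    payload: int = 0


def connection_type(state: ConnState) -> str:
    """ASSUMED rule: 'real' when the handshake completed and data flowed,
    'virtual' otherwise (e.g. a half-open connection)."""
    if state.syn and state.synack and state.ack and state.payload > 0:
        return "real"
    return "virtual"


def count_connections(packets):
    """Reassemble 5-tuples into connections and count real/virtual connections
    for each (src, dst) pair, i.e. for each edge of the traffic feature graph."""
    conns = defaultdict(ConnState)
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if key not in conns and rev in conns:   # reply direction of a known connection
            key = rev
        st = conns[key]
        if p.flags == "S":
            st.syn = True
        elif p.flags == "SA":
            st.synack = True
        elif p.flags in ("A", "PA"):
            st.ack = True
        st.payload += p.payload
    counts = defaultdict(lambda: {"real": 0, "virtual": 0})
    for (src, dst, _, _), st in conns.items():
        counts[(src, dst)][connection_type(st)] += 1
    return dict(counts)


def preliminary_result_ratio(real: int, virtual: int, ratio_threshold: float) -> str:
    """Claim 2: ratio of real to virtual connections below the threshold -> abnormal."""
    ratio = real / virtual if virtual else float("inf")
    return "abnormal" if ratio < ratio_threshold else "normal"


def preliminary_result_difference(real: int, virtual: int, diff_threshold: int) -> str:
    """Claim 3: fewer real than virtual connections, gap above the threshold -> abnormal."""
    if real < virtual and (virtual - real) > diff_threshold:
        return "abnormal"
    return "normal"


def screen(packets, rule="ratio", ratio_threshold=1.0, diff_threshold=5):
    """Return {(src, dst): 'normal' | 'abnormal'}; the abnormal pairs are those that
    claim 1 would hand to the malicious traffic classification model."""
    results = {}
    for pair, c in count_connections(packets).items():
        if rule == "ratio":
            results[pair] = preliminary_result_ratio(c["real"], c["virtual"], ratio_threshold)
        else:
            results[pair] = preliminary_result_difference(c["real"], c["virtual"], diff_threshold)
    return results


def sample_packets():
    """Constructed sample capture (not from the page): three completed sessions from
    10.0.0.5, and from 10.0.0.99 one completed session plus eight half-open ones."""
    pkts = []
    for sport in (40001, 40002, 40003):
        pkts += [Packet("10.0.0.5", "10.0.0.10", sport, 102, "S", 0),
                 Packet("10.0.0.10", "10.0.0.5", 102, sport, "SA", 0),
                 Packet("10.0.0.5", "10.0.0.10", sport, 102, "A", 0),
                 Packet("10.0.0.5", "10.0.0.10", sport, 102, "PA", 64)]
    pkts += [Packet("10.0.0.99", "10.0.0.10", 50000, 102, "S", 0),
             Packet("10.0.0.10", "10.0.0.99", 102, 50000, "SA", 0),
             Packet("10.0.0.99", "10.0.0.10", 50000, 102, "A", 0),
             Packet("10.0.0.99", "10.0.0.10", 50000, 102, "PA", 12)]
    for sport in range(50001, 50009):
        pkts.append(Packet("10.0.0.99", "10.0.0.10", sport, 102, "S", 0))
    return pkts


if __name__ == "__main__":
    for rule in ("ratio", "difference"):
        print(rule, screen(sample_packets(), rule=rule))
```

With the constructed capture, the pair from 10.0.0.5 counts three real connections and no virtual ones and is reported normal under both rules, while the pair from 10.0.0.99 counts one real against eight virtual connections (ratio 0.125, difference 7) and is reported abnormal under both rules. The ratio rule handles the no-virtual-connection case by treating the ratio as infinite, which keeps a pair with only completed sessions out of the classifier; any deployment would need to choose the thresholds from the system's own baseline traffic.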

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310101461.7A CN115801473A (en) 2023-02-13 2023-02-13 Knowledge graph-based malicious flow identification method and device for power monitoring system

Publications (1)

Publication Number Publication Date
CN115801473A true CN115801473A (en) 2023-03-14

Family

ID=85430901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310101461.7A Pending CN115801473A (en) 2023-02-13 2023-02-13 Knowledge graph-based malicious flow identification method and device for power monitoring system

Country Status (1)

Country Link
CN (1) CN115801473A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910851A (en) * 2021-01-16 2021-06-04 中国电子科技集团公司第十五研究所 Data packet marking and tracing device based on knowledge graph
CN113612763A (en) * 2021-07-30 2021-11-05 北京交通大学 Network attack detection device and method based on network security malicious behavior knowledge base
CN114760212A (en) * 2022-05-10 2022-07-15 深圳大学 SDN-based DDoS attack detection and mitigation method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王勇; 周慧怡; 俸皓; 叶苗; 柯文龙: "Network traffic classification method based on deep convolutional neural networks" *
赵新辉 et al.: "SDN malicious traffic detection and defense based on link monitoring" *

Similar Documents

Publication Publication Date Title
CN109818942B (en) User account abnormity detection method and device based on time sequence characteristics
CN107483455B (en) Flow-based network node anomaly detection method and system
CN107579956B (en) User behavior detection method and device
CN111401416B (en) Abnormal website identification method and device and abnormal countermeasure identification method
CN106469276B (en) Type identification method and device of data sample
CN109598509A (en) The recognition methods of risk clique and device
CN116305168B (en) Multi-dimensional information security risk assessment method, system and storage medium
CN112435137B (en) Cheating information detection method and system based on community mining
CN109218321A (en) A kind of network inbreak detection method and system
CN112487208A (en) Network security data association analysis method, device, equipment and storage medium
CN109313541A (en) For showing and the user interface of comparison attacks telemetering resource
CN110717551A (en) Training method and device of flow identification model and electronic equipment
CN106301979B (en) Method and system for detecting abnormal channel
CN115001934A (en) Industrial control safety risk analysis system and method
CN112437034B (en) False terminal detection method and device, storage medium and electronic device
CN116366374A (en) Security assessment method, system and medium for power grid network management based on big data
CN110598959A (en) Asset risk assessment method and device, electronic equipment and storage medium
KR100609707B1 (en) Method for analyzing security condition by representing network events in graphs and apparatus thereof
CN109194622B (en) Encrypted flow analysis feature selection method based on feature efficiency
CN115801473A (en) Knowledge graph-based malicious flow identification method and device for power monitoring system
CN111565377B (en) Security monitoring method and device applied to Internet of things
CN114153713A (en) User behavior detection method and device and computer equipment
CN110098983B (en) Abnormal flow detection method and device
CN113591922A (en) Behavior recognition method and device, electronic equipment and storage medium
CN111782908A (en) WEB violation operation behavior detection method based on data mining cluster analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20230314)